diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
new file mode 100644
index 000000000..a077d4ce8
--- /dev/null
+++ b/.github/workflows/deploy.yaml
@@ -0,0 +1,37 @@
+name: Build and deploy
+
+on:
+ push:
+ branches:
+ - main
+
+ tags:
+ - v*
+
+ workflow_dispatch:
+
+jobs:
+ deploy-dev:
+ # if this job runs on a branch, we deduce that code
+ # has been pushed to main and should be deployed to dev
+ if: ${{ github.ref_type == 'branch' }}
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Deploy to cloud.gov sandbox
+ uses: 18f/cg-deploy-action@main
+ env:
+ DEPLOY_NOW: thanks
+ with:
+ cf_username: ${{ secrets.CF_USERNAME }}
+ cf_password: ${{ secrets.CF_PASSWORD }}
+ cf_org: sandbox-gsa
+ cf_space: dotgov-poc
+ push_arguments: "-f ops/manifests/manifest-dev.yaml"
+
+ # deploy:
+ # # if this job runs on a tag, we deduce that code
+ # # has been tagged for release and should be deployed to
+ # # ____? (staging? prod?)
+ # if: ${{ github.ref_type == 'tag' }}
diff --git a/.github/workflows/migrate.yaml b/.github/workflows/migrate.yaml
new file mode 100644
index 000000000..c772033ae
--- /dev/null
+++ b/.github/workflows/migrate.yaml
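Review bot: The `Deploy to cloud.gov sandbox` step runs `18f/cg-deploy-action@main`, a mutable branch reference, and hands it `CF_USERNAME` and `CF_PASSWORD`, so any later commit to that branch executes with the deploy credentials. Pin it to a reviewed commit, `uses: 18f/cg-deploy-action@<full-commit-sha>`, and do the same for the identical reference in the migrate.yaml hunk. The guard `if: ${{ github.ref_type == 'branch' }}` is also true for a `workflow_dispatch` run started from any branch, so the comment's deduction that the code was pushed to main does not hold there; `if: ${{ github.ref == 'refs/heads/main' }}` matches the stated intent. Neither workflow sets `permissions:`; a top-level `permissions:` with `contents: read` keeps the GITHUB_TOKEN to what `actions/checkout` needs.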
@@ -0,0 +1,34 @@
+name: Run Migrations
+
+# This workflow can be run from the CLI
+# gh workflow run migrate.yaml -f environment=sandbox
+# OR
+# cf run-task getgov-dev --wait \
+# --command 'python manage.py migrate' --name migrate
+
+on:
+ workflow_dispatch:
+ inputs:
+ environment:
+ type: choice
+ description: Where should we run migrations
+ options:
+ - sandbox
+ - production
+
+jobs:
+ migrate-dev:
+ if: ${{ github.event.inputs.environment == 'sandbox' }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Run Django migrations for sandbox
+ uses: 18f/cg-deploy-action@main
+ with:
+ cf_username: ${{ secrets.CF_USERNAME }}
+ cf_password: ${{ secrets.CF_PASSWORD }}
+ cf_org: sandbox-gsa
+ cf_space: dotgov-poc
+ full_command: "cf run-task getgov-dev --wait --command 'python manage.py migrate' --name migrate"
+
+ # migrate:
+ # if: ${{ github.event.inputs.environment == 'production' }}
\ No newline at end of file
diff --git a/ops/README.md b/ops/README.md
new file mode 100644
index 000000000..c41718d4c
--- /dev/null
+++ b/ops/README.md
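Review bot: The `production` entry under `options:` has no job behind it, since `migrate-dev` is the only active job and it is gated on `environment == 'sandbox'`; a dispatch with `environment=production` skips every job and the run ends without migrating anything, which is easy to misread as done. Drop `- production` until the commented-out `migrate` job exists, or add a job that fails with an explicit message for that choice. When the production job is added, it presumably should not reuse the same `CF_USERNAME`/`CF_PASSWORD` repository secrets as sandbox; a GitHub `environment:` with its own secrets and required reviewers would separate the two.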
@@ -0,0 +1,61 @@
+# Operations
+========================
+
+This directory contains files related to deploying or running the application(s).
+
+## Authenticating
+
+You'll need the [Cloud Foundry CLI](https://docs.cloud.gov/getting-started/setup/).
+
+We use the V7 Cloud Foundry CLI.
+
+```shell
+cf login -a api.fr.cloud.gov --sso
+```
+
+After authenticating, make sure you are targeting the correct org and space!
+
+```bash
+cf spaces
+cf target -o -s
+```
+
+## Rotating Secrets
+
+Secrets were originally created with:
+
+```sh
+cf cups getgov-credentials -p credentials-.json
+```
+
+Where `credentials-.json` looks like:
+
+```json
+{
+ "DJANGO_SECRET_KEY": "EXAMPLE",
+ ...
+}
+```
+
+You can see the current environment with `cf env `, for example `cf env getgov-dev`.
+
+The command `cups` stands for [create user provided service](https://docs.cloudfoundry.org/devguide/services/user-provided.html). User provided services are the way currently recommended by Cloud.gov for deploying secrets. The user provided service is bound to the application in `manifest-.json`.
+
+To rotate secrets, create a new `credentials-.json` file, upload it, then restage the app.
+
+Example:
+
+```bash
+cf uups getgov-credentials -p credentials-dev.json
+cf restage getgov-dev --strategy rolling
+```
+
+Non-secret environment variables can be declared in `manifest-.json` directly.
+
+## Database
+
+In sandbox, created with `cf create-service aws-rds micro-psql getgov-database`.
+
+Binding the database in `manifest-.json` automatically inserts the connection string into the environment as `DATABASE_URL`.
+
+[Cloud.gov RDS documentation](https://cloud.gov/docs/services/relational-database/).
\ No newline at end of file
diff --git a/ops/manifests/README.md b/ops/manifests/README.md
new file mode 100644
index 000000000..c5b9618ff
--- /dev/null
+++ b/ops/manifests/README.md
@@ -0,0 +1,4 @@
+# Manifests
+========================
+
+This directory contains files used by the deployment pipeline to deploy to Cloud.gov.
\ No newline at end of file
diff --git a/ops/manifests/manifest-dev.yaml b/ops/manifests/manifest-dev.yaml
new file mode 100644
index 000000000..97b1511fe
--- /dev/null
+++ b/ops/manifests/manifest-dev.yaml
@@ -0,0 +1,23 @@
+---
+applications:
+- name: getgov-dev
+ buildpacks:
+ - python_buildpack
+ path: ../../src
+ instances: 1
+ memory: 512M
+ stack: cflinuxfs3
+ timeout: 180
+ command: gunicorn registrar.config.wsgi -t 60
+ health-check-type: http
+ health-check-http-endpoint: /health
+ env:
+ # Send stdout and stderr straight to the terminal without buffering
+ PYTHONUNBUFFERED: yup
+ # Tell Django where to find its configuration
+ DJANGO_SETTINGS_MODULE: registrar.config.settings
+ routes:
+ - route: getgov-dev.app.cloud.gov
+ services:
+ - getgov-credentials
+ - getgov-database
\ No newline at end of file
diff --git a/src/runtime.txt b/src/runtime.txt
new file mode 100644
index 000000000..a015b8196
--- /dev/null
+++ b/src/runtime.txt
@@ -0,0 +1 @@
+3.10.x
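Review bot: `stack: cflinuxfs3` in ops/manifests/manifest-dev.yaml pins the root filesystem image with no comment saying why, so the app stays on that stack even after the platform default moves on. Either drop the key to follow the platform default or record the reason and a review trigger above it, e.g. `# pinned: revisit when cloud.gov changes its default stack`. `PYTHONUNBUFFERED: yup` works because Python only checks for a non-empty string, but `PYTHONUNBUFFERED: "1"` is the conventional spelling and leaves no doubt about whether the value matters.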